Approach to implementation


Last reviewed
Approach to implementation 
e.g amendments to existing law, total repeal of old laws
Austria  05.06.2018 Overall, the Austrian legislator used just a few opening clauses of the GDPR in a very moderate way highlighting a minimalistic approach to safeguard full harmonization. However, the ADPA nevertheless provides for some specific local provisions.

Further, special data protection provisions will follow in other Austrian laws since the ADPA is limited to the general provisions. Thus, we will learn in the future whether the Austrian legislator keeps up with its restraint or if stricter local rules will come through the backdoor of specific laws. 
Belgium 17.05.2018

It is not yet certain which approach will be taken in the implementive legislation. It is however expected that this act will replace and repeal the Act of 8 December 1992 concerning the protection of privacy with regard to the processing of personal data (""BPA"").

The Act of 3 December 2017 establishing  the Data Protection Authority repeals the relevant chapters of the BPA related to the current Belgian Privacy Commission.

Czech Republic 16.05.2018 DPA No. 101/2000 Coll. to be repealed by the new DPA. Multiple existing laws (e.g. Civil Procedure Code, Criminal Procedure Code) to be amended by an Amending Act []. The new DPA shall also partially transpose the Law Enforcement Directive.
Denmark 22.05.2018 Will replace current Data Protection Act with a new Data Protection Act on 25 May 2018
Finland 17.05.2018 The new Data Protection Act will abrogate the current Personal Data Act. It is still unclear how the GDPR will affect several hundred laws that currently include specific rules on data protection.
France 22.05.2018 This bill modifies the current act N°78-17 of 6 January 1978 on information technology, data files and civil liberties. 
Germany 23.05.2018 Almost all opening clauses are used. GDPR-regulated areas are combined with out-of-scope-areas such as law enforcement and national security.
Hungary  17.05.2018 According to the published draft bill the InfoAct is going to remain in force but its scope will be limited to data processing activities which are not within the scope of the GDPR. As far activities covered by the GDPR are concerned, only certain provisions of the InfoAct will be applicable. These provisions will be listed in Article 2 of the InfoAct (in its amended form).
Update (04 December 2017): it seems that the Ministry of Justice has recognized that the structure of the first draft was hard to interpret, and that the new InfoAct should be more 'user friendly'. 
Update (16 May 2018): There is no news on the approach of the Ministry of Justice regarding the amendments of the InfoAct.
Ireland  07.06.2018  The Data Protection Act 2018 (the “Act”) covers both the GDPR and the Law Enforcement Directive.

The Data Protection Acts 1988 and 2003 (the “1988 and 2003 Acts”) are largely superseded. Under section 8 of the Act, the 1988 and 2003 Acts will continue to apply to (a) the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, and (b) the processing of personal data under certain forensic evidence and vehicle registration legislation.

The Act provides for certain exemptions from the data subject rights and related obligations provided for under the GDPR. Further exemptions may be specified by secondary legislation.
Where the Act provides that processing of personal data in certain contexts must be subject to “suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects”, section 36(1) of the Act provides a non-exhaustive list of such measures. Secondary legislation may be enacted for the purpose of (a) identifying additional suitable and specific measures which may be taken, or (b) specifying that measures referred to in section 36(1) of the Act are mandatory. 
Italy 17.05.2018 The Scheme will amend the IDPA provisions in conflict with GDPR.
Netherlands 17.05.2018 GDPR Execution Act (""UAVG"") is to repeal the current Dutch Data Protection Act (""Wbp""). 
On 9-12-2016 the Dutch Ministry of Security & Justice (in charge of privacy and data protection matters) issued the GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegegevensbescherming). Purpose of this Execution Act is to effectuate the GDPR and repeal the current Dutch Data Protection Act (Wet bescherming persoonsgegevens).
Poland 16.05.2018 Current Data Protection Law will be repealed and replaced by PDPA. The Inspector General for Personal Data Protection (GIODO) will be replaced by the President of the Personal Data Protection (PUODO). ASA will introduce amendments to the existing sectoral acts.
Spain 16.05.2018 Organic Law 15/1999 will be repealed and replaced by the new Data Protection Act.
Sweden 22.05.2018 Personal Data Act (1998:204) will be repealed and replaced by the Data Protection Act containing supplementary provisions to the GDPR.
UK 23.05.2018

Repeals Data Protection Act 1998

Further Statutory Instruments are anticipated 

In addition to implementing GDPR related provisions, the Act contains additional provisions to:

  • address the gaps left by repeal of 1998 Act and to apply a broadly equivalent regime to certain types of processing which GDPR does not cover;
  • implement the Law Enforcement Directive; and 
  • cover processing  of personal data by intelligence services.